Hello there. First post. I had done a few web searches, but I was curious to know how all fellow pen testers keep their "noise" to a minimum.

Take the following for example: there is a web application you would like to test, but running something such as DirBuster or SkipFish would create megs of logs that would be hard for the server admin to miss if they were paying attention.

Rather than customizing open source tools to dumb down the number of requests they make to a web server, I was wondering how you fellow ethical hackers do low-level reconnaissance through to exploitation.

My inexperienced $.02: any public web servers are going to get so many alerts that your scan won't cause much concern; if they see it, they are likely to just block you. But if you want to avoid that or want to test internally, you'd probably want to try manual exploitation attempts rather than a tool.

It's unlikely that activity would get noticed unless they're actively working with the logs at the time, but more mature environments/more advanced controls may detect repeated 404s and blacklist the source IP, or do things like intercept and respond to all requests with 200 messages.

The latter often works a lot better for specific, targeted attacks than noisy scanning/enumeration attacks. Maybe you can fragment packets in such a manner that avoids IDS detection, but when they're reassembled into an HTTP GET request, the web server is still going to log the request. However, maybe you can find ways around that as well. For example, maybe the web server will disclose the existence of an item through a less common request (TRACE, DELETE, etc.) that the server isn't configured to log.
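As an added example (not code from any poster in this thread), here is the defender's side of the two points made above: a small detector that reads web server access logs, counts repeated 404s per source IP inside a sliding time window and flags the IP once it crosses a threshold, and separately surfaces requests that use uncommon methods such as TRACE or DELETE. The log lines are constructed for the example in Apache/nginx "combined" format; the threshold and window are illustrative values, not tuned ones. The uncommon-method list also makes the caveat concrete: these probes only appear here because the server logged them at all.

```python
"""Flag noisy directory brute-forcing from web server access logs.

Added example for this thread, not code from any of the posters.
Assumptions: logs are in Apache/nginx "combined" format, and the
threshold/window values below are illustrative, not tuned.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# One "combined" log line: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
COMMON_METHODS = {"GET", "POST", "HEAD"}

# Constructed sample log: one scanner, one normal user, one host probing
# with less common methods (the server in this sample does log them).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 196
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /backup/ HTTP/1.1" 404 196
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /old/ HTTP/1.1" 404 196
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /test/ HTTP/1.1" 404 196
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /.git/ HTTP/1.1" 404 196
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 612
198.51.100.2 - - [10/Oct/2023:13:56:05 +0000] "GET /favicon.ico HTTP/1.1" 404 196
198.51.100.2 - - [10/Oct/2023:14:10:05 +0000] "GET /robots.txt HTTP/1.1" 404 196
192.0.2.9 - - [10/Oct/2023:14:12:00 +0000] "TRACE /uploads/ HTTP/1.1" 405 0
192.0.2.9 - - [10/Oct/2023:14:12:01 +0000] "DELETE /uploads/ HTTP/1.1" 403 0
192.0.2.9 - - [10/Oct/2023:14:12:02 +0000] "DELETE /nothere/ HTTP/1.1" 404 196
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every line of a log; unparseable lines are skipped."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def repeated_404s(records, threshold=5, window_seconds=60):
    """Return {ip: peak_404_count} for IPs that hit >= threshold 404s
    inside any window_seconds-long sliding window. These are the IPs a
    blocklisting control would act on."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 404s
    flagged = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["status"] != 404:
            continue
        q = recent[r["ip"]]
        q.append(r["ts"])
        # Drop 404s that have aged out of the window.
        while (r["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[r["ip"]] = max(flagged.get(r["ip"], 0), len(q))
    return flagged


def uncommon_method_requests(records):
    """Requests whose method is outside COMMON_METHODS, as (ip, method, path, status).
    A server whose log config only records GET/POST would never show these."""
    return [(r["ip"], r["method"], r["path"], r["status"])
            for r in records if r["method"] not in COMMON_METHODS]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("blocklist candidates:", repeated_404s(recs))
    for hit in uncommon_method_requests(recs):
        print("uncommon method:", hit)
```

Note the differing status codes on the DELETE lines: the existing path answers 403 and the missing one 404, which is exactly the kind of existence disclosure the post above describes, and it is only visible to the defender because the sample server logged the method.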